* [PATCH v2] libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
@ 2019-07-29 21:47 Kees Cook
2019-07-29 21:55 ` Jens Axboe
0 siblings, 1 reply; 5+ messages in thread
From: Kees Cook @ 2019-07-29 21:47 UTC (permalink / raw)
To: Jens Axboe
Cc: Jeffrin Jose T, linux-kernel, Dan Carpenter, Nick Desaulniers,
Steven Rostedt, Andy Shevchenko, Alexander Shishkin, tobin,
Dmitry Vyukov, Alexander Potapenko, Tejun Heo
Jeffrin reported a KASAN issue:
BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
...
The buggy address belongs to the variable:
cdb.48319+0x0/0x40
Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
eject_tray()"), this fixes a cdb[] buffer length, this time in
zpodd_get_mech_type():
We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
Reported-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
Fixes: afe759511808c ("libata: identify and init ZPODD devices")
Link: https://lore.kernel.org/lkml/201907181423.E808958@keescook/
Tested-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
v2: added reported/tested-by and direct to Jens
---
drivers/ata/libata-zpodd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
index 173e6f2dd9af..eefda51f97d3 100644
--- a/drivers/ata/libata-zpodd.c
+++ b/drivers/ata/libata-zpodd.c
@@ -56,7 +56,7 @@ static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev)
unsigned int ret;
struct rm_feature_desc *desc;
struct ata_taskfile tf;
- static const char cdb[] = { GPCMD_GET_CONFIGURATION,
+ static const char cdb[ATAPI_CDB_LEN] = { GPCMD_GET_CONFIGURATION,
2, /* only 1 feature descriptor requested */
0, 3, /* 3, removable medium feature */
0, 0, 0,/* reserved */
--
2.17.1
--
Kees Cook
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2] libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
2019-07-29 21:47 [PATCH v2] libata: zpodd: Fix small read overflow in zpodd_get_mech_type() Kees Cook
@ 2019-07-29 21:55 ` Jens Axboe
2019-07-29 21:58 ` Nick Desaulniers
0 siblings, 1 reply; 5+ messages in thread
From: Jens Axboe @ 2019-07-29 21:55 UTC (permalink / raw)
To: Kees Cook
Cc: Jeffrin Jose T, linux-kernel, Dan Carpenter, Nick Desaulniers,
Steven Rostedt, Andy Shevchenko, Alexander Shishkin, tobin,
Dmitry Vyukov, Alexander Potapenko, Tejun Heo
On 7/29/19 3:47 PM, Kees Cook wrote:
> Jeffrin reported a KASAN issue:
>
> BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
> Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
> ...
> The buggy address belongs to the variable:
> cdb.48319+0x0/0x40
>
> Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
> eject_tray()"), this fixes a cdb[] buffer length, this time in
> zpodd_get_mech_type():
>
> We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
> ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
Applied, thanks.
--
Jens Axboe
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
2019-07-29 21:55 ` Jens Axboe
@ 2019-07-29 21:58 ` Nick Desaulniers
2019-07-29 22:00 ` Jens Axboe
0 siblings, 1 reply; 5+ messages in thread
From: Nick Desaulniers @ 2019-07-29 21:58 UTC (permalink / raw)
To: Jens Axboe
Cc: Kees Cook, Jeffrin Jose T, LKML, Dan Carpenter, Steven Rostedt,
Andy Shevchenko, Alexander Shishkin, tobin, Dmitry Vyukov,
Alexander Potapenko, Tejun Heo
On Mon, Jul 29, 2019 at 2:55 PM Jens Axboe <axboe@kernel.dk> wrote:
>
> On 7/29/19 3:47 PM, Kees Cook wrote:
> > Jeffrin reported a KASAN issue:
> >
> > BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
> > Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
> > ...
> > The buggy address belongs to the variable:
> > cdb.48319+0x0/0x40
> >
> > Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
> > eject_tray()"), this fixes a cdb[] buffer length, this time in
> > zpodd_get_mech_type():
> >
> > We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
> > ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
>
> Applied, thanks.
Dropped my reviewed by tag. :(
https://lkml.org/lkml/2019/7/22/865
--
Thanks,
~Nick Desaulniers
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
2019-07-29 21:58 ` Nick Desaulniers
@ 2019-07-29 22:00 ` Jens Axboe
2019-07-30 4:27 ` Kees Cook
0 siblings, 1 reply; 5+ messages in thread
From: Jens Axboe @ 2019-07-29 22:00 UTC (permalink / raw)
To: Nick Desaulniers
Cc: Kees Cook, Jeffrin Jose T, LKML, Dan Carpenter, Steven Rostedt,
Andy Shevchenko, Alexander Shishkin, tobin, Dmitry Vyukov,
Alexander Potapenko, Tejun Heo
On 7/29/19 3:58 PM, Nick Desaulniers wrote:
> On Mon, Jul 29, 2019 at 2:55 PM Jens Axboe <axboe@kernel.dk> wrote:
>>
>> On 7/29/19 3:47 PM, Kees Cook wrote:
>>> Jeffrin reported a KASAN issue:
>>>
>>> BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
>>> Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
>>> ...
>>> The buggy address belongs to the variable:
>>> cdb.48319+0x0/0x40
>>>
>>> Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
>>> eject_tray()"), this fixes a cdb[] buffer length, this time in
>>> zpodd_get_mech_type():
>>>
>>> We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
>>> ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
>>
>> Applied, thanks.
>
> Dropped my reviewed by tag. :(
> https://lkml.org/lkml/2019/7/22/865
I'll add it.
--
Jens Axboe
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
2019-07-29 22:00 ` Jens Axboe
@ 2019-07-30 4:27 ` Kees Cook
0 siblings, 0 replies; 5+ messages in thread
From: Kees Cook @ 2019-07-30 4:27 UTC (permalink / raw)
To: Jens Axboe
Cc: Nick Desaulniers, Jeffrin Jose T, LKML, Dan Carpenter,
Steven Rostedt, Andy Shevchenko, Alexander Shishkin, tobin,
Dmitry Vyukov, Alexander Potapenko, Tejun Heo
On Mon, Jul 29, 2019 at 04:00:08PM -0600, Jens Axboe wrote:
> On 7/29/19 3:58 PM, Nick Desaulniers wrote:
> > On Mon, Jul 29, 2019 at 2:55 PM Jens Axboe <axboe@kernel.dk> wrote:
> >>
> >> On 7/29/19 3:47 PM, Kees Cook wrote:
> >>> Jeffrin reported a KASAN issue:
> >>>
> >>> BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
> >>> Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
> >>> ...
> >>> The buggy address belongs to the variable:
> >>> cdb.48319+0x0/0x40
> >>>
> >>> Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
> >>> eject_tray()"), this fixes a cdb[] buffer length, this time in
> >>> zpodd_get_mech_type():
> >>>
> >>> We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
> >>> ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
> >>
> >> Applied, thanks.
> >
> > Dropped my reviewed by tag. :(
> > https://lkml.org/lkml/2019/7/22/865
Argh, sorry!
> I'll add it.
Thanks! :)
--
Kees Cook
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-07-30 4:27 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-29 21:47 [PATCH v2] libata: zpodd: Fix small read overflow in zpodd_get_mech_type() Kees Cook
2019-07-29 21:55 ` Jens Axboe
2019-07-29 21:58 ` Nick Desaulniers
2019-07-29 22:00 ` Jens Axboe
2019-07-30 4:27 ` Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).